
Unknown Virus or Rootkit that disables Scanners etc.


  • This topic is locked
12 replies to this topic

#1 BohoGypsy (Members)

Posted 29 July 2013 - 09:10 PM

Hello,

I was directed over here from http://www.bleepingcomputer.com/forums/t/502661/infected-with-viruses-or-rootkits-that-wont-let-me-remove-have-tried-everything/

My original post:

"My computer is infected with several viruses or a rootkit that I cannot get rid of, and I have tried everything. I am ready to throw my laptop out the window. I am running Windows Vista on a Dell Inspiron 1525. I knew I had a virus when Firefox kept freezing and Ctrl+Alt+Del did not work. I attempted to reset Firefox, updated plugins (one was the Java that was considered to be vulnerable) and reset my Winsock. After this my whole computer started freezing, even in Safe Mode, and then I would have to manually restart and get a black screen with a blinking cursor before F8. I tried scanning with Malwarebytes (Chameleon too), MBR rootkit, Avast, Sophos etc. They all find infected files, but as soon as they do they freeze and I am forced to manually shut down. This also happens in Safe Mode. I tried McAfee Rootkit and it found nothing, while Kaspersky rootkit found and successfully quarantined items, but the scan still froze. Avast always gets to 93% where the others freeze in a few minutes. I downloaded RogueKiller and it found items in my HKEY, but as soon as I clicked delete and scanned again, they were still there. I then tried downloading RKill, which ran, and then re-downloaded Malwarebytes and named it a different .exe. But it still finds infected files and freezes. How can I get rid of this if I can't scan???? Please help. I am so frustrated. Oh, and also if I leave during scans and don't tap the computer, it goes to a black unresponsive screen (and I have no screensaver set)."

I followed the link provided in the thread above and started at step 6. Here are the DDS logs. Any help would be appreciated, as this computer is driving me nuts. I should also note that last year while I was traveling in Europe and the UK, my computer was infected with a Google redirect and after recovery (I believe a sector was removed from the hard drive) -- at least that is what the computer gurus said.....

 

Attached Files

#2 Blind Faith (Malware Response Team)

Posted 30 July 2013 - 07:05 PM

Hello and welcome to BleepingComputer!

I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system, so I will analyze the results they produce.

As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed, so we need to get a clear look at that aspect. DO NOT make any changes to the system except the ones I tell you to, as that may produce more damage than help.

If you encounter a delay of over 2 days from me, please don't hesitate to private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.

Please generate new DDS logs (download it from here if you haven't already) and post them in your next reply along with any other changes that may have occurred since you last posted.
Also download and run GMER from this link: http://www.gmer.net/gmer.zip

Thank you very much for your patience.

Regards,

Elle

Can you hear it? It's all around!

Do you remember?
If you do, then
can you forgive?

If I haven't replied in 48 hours, please feel free to send me a PM.

#3 BohoGypsy (Topic Starter)

Posted 30 July 2013 - 07:21 PM

Thank you for taking this on! Here are the new updated DDS logs. I am currently running GMER at the moment (I assume it takes a while for a scan). I will post that as soon as it has finished. There have been no system changes since my original post.

Katelynn

Attached Files

#4 BohoGypsy (Topic Starter)

Posted 30 July 2013 - 07:47 PM

Here is a copy of the GMER scan -- it indicates rootkit activity.

Attached Files

  • GMER.txt (43.84KB)


#5 Blind Faith (Malware Response Team)

Posted 31 July 2013 - 04:39 PM

Hi there,

Let's try this first. :)

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <- Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users: right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead; do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Elle
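The manual TDSSKiller steps in the post above, written out as a PowerShell script. This is an added example for readers of the thread, not part of Elle's instructions and not a TDSSKiller feature: it assumes TDSSKiller.exe has already been saved to the Desktop (nothing is downloaded here) and PowerShell 2.0 or later, which Vista and Windows 7 can run. The random-name generator is my own helper; the rename-to-.com trick itself is the one the post describes, and it matters because malware that kills security tools by file name will not recognise the renamed binary.

```powershell
# Added example, not from the thread: the TDSSKiller steps above as a script.
# Assumes TDSSKiller.exe is already on the Desktop and PowerShell 2.0 or later.
$desktop = [Environment]::GetFolderPath('Desktop')
$tool    = Join-Path $desktop 'TDSSKiller.exe'
if (-not (Test-Path $tool)) { throw "Save TDSSKiller.exe to $desktop first." }

# Random six-character name with a .com extension, e.g. 'k3x9qa.com'.
# Malware that blocks security tools by their file name does not recognise it.
$alphabet = [char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
$name     = (-join (1..6 | ForEach-Object { $alphabet | Get-Random })) + '.com'
Rename-Item -Path $tool -NewName $name
$renamed  = Join-Path $desktop $name

# Launch elevated (same as right-click > Run As Administrator) and wait until
# the GUI scan has been finished and closed before looking for the log.
Start-Process -FilePath $renamed -Verb RunAs -Wait

# The post says the log is written to the root of the system drive as
# TDSSKiller.<version>_<date>_<time>_log.txt; pick the newest one.
$root = $env:SystemDrive + '\'
$log  = Get-ChildItem -Path $root -Filter 'TDSSKiller*_log.txt' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($log) {
    Write-Host "Log: $($log.FullName)"
    Get-Content $log.FullName        # this is the text to paste into the reply
} else {
    Write-Warning "No TDSSKiller log found in $root; the scan may not have completed."
}
```

Run it from an ordinary PowerShell window; the UAC prompt appears when Start-Process asks for elevation. If the scan froze the machine the way the other scanners did, there will be no log in the root directory and the script says so rather than pasting an old one.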

#6 BohoGypsy (Topic Starter)

Posted 31 July 2013 - 05:08 PM

I ran this and it said nothing found.... I did run it a few weeks ago and it found and quarantined items, but I still had all those problems.



#7 Blind Faith (Malware Response Team)

Posted 01 August 2013 - 05:14 PM

Hi there,

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Elle

#8 BohoGypsy (Topic Starter)

Posted 01 August 2013 - 09:48 PM

Here are the two logs...

Attached Files



#9 Blind Faith (Malware Response Team)

Posted 03 August 2013 - 03:50 AM

Hi there,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Elle

#10 BohoGypsy (Topic Starter)

Posted 04 August 2013 - 03:26 PM

I would like to go ahead and get the machine clean and get it off please.



#11 Blind Faith (Malware Response Team)

Posted 06 August 2013 - 03:31 AM

Hi there,

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT - Save ComboFix.exe to your Desktop

====================================================

Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

====================================================

Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC_update.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: cfRC_screen_2.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Elle

#12 Blind Faith (Malware Response Team)

Posted 08 August 2013 - 08:29 AM

Hi there,

Do you still need help? Please let me know, otherwise in around 72 hours this topic will be closed.

Elle

#13 Blind Faith (Malware Response Team)

Posted 11 August 2013 - 06:33 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.